Trojan.Krypt.KBAH
Analysis Report
General information
| Family Name: | Trojan.Krypt.KBAH |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have resources
- File doesn't have security information
- File has exports table
- File has TLS information
- File is 32-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
- File is either console or GUI application
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

| Name | Value |
|---|---|
| Company Name | Microsoft Corporation |
| File Description | Microsoft Management Console |
| File Version | 10.0.14393.0 (rs1_release.160715-1616) |
| Legal Copyright | © Microsoft Corporation. All rights reserved. |
| Product Name | Microsoft Management Console |
| Product Version | 10.0.14393.0 (rs1_release.160715-1616) |
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature's root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy "Self Signed" digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading "Signer" names.

| Signer | Root | Status |
|---|---|---|
| Microsoft Corporation | Microsoft Code Signing PCA 2011 | Hash Mismatch |
| Microsoft Windows | Microsoft Windows Production PCA 2011 | Hash Mismatch |
File Traits
- dll
- HighEntropy
- ntdll
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

| Total Blocks: | 9,342 |
|---|---|
| Potentially Malicious Blocks: | 1,526 |
| Whitelisted Blocks: | 5,514 |
| Unknown Blocks: | 2,302 |
Visual Map
(Per-block classification grid not reproduced; the page's data was truncated.)
Legend:
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft's analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- Krypt.KBAD
- Krypt.KBAH
- Kryptik.KBDA
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

| Category | API |
|---|---|
| Syscall Use | |
| Process Shell Execute | |
| Anti Debug | |
| Process Manipulation Evasion | |
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\9b5b2f11f22b1a110ab9114db5b20ffd2bac63d0_0001044816.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\09b880fe0e410ef6b6cea1decacbc05e25c7b549_0002089008.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\70666b0c52bef2fe3d0c84c61f3221b92a6bf1c6_0002590208.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\112c44a5af8e6f6aed90217a9a95f57270585e14_0001247232.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\0f7825d745324bbc8ffbb7da1ab2427ac81ea2c1_0002875392.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\3ac0ea6a4ec6fd51898ead33c0133c3741d8762b_0002851328.,LiQMAxHB